From 3374c87eb2788ca2427061df9e63167846c80b1d Mon Sep 17 00:00:00 2001
From: "kiko%async.com.br" <>
Date: Sat, 27 Mar 2004 09:31:00 +0000
Subject: Fix for bug 226754: Move InvalidateLogins into Bugzilla::Auth::CGI.

Consolidates the logout code into Bugzilla::Auth::CGI, and provides simple front-end wrappers in Bugzilla.pm for use in the CGIs we have. r=bbaetz, joel; a=justdave.

Adds a set of constants to the logout() API which allow specifying "how much" we should log out -- all sessions, the current session, or all sessions but the current one. Fixes callsites to use this new API; cleans and documents things a bit while we're at it.

Part I in the great COOKIE apocalypse.
---
 Bugzilla/Auth/CGI.pm    | 60 ++++++++++++++++++++++++++++---------------------
 Bugzilla/Auth/Cookie.pm |  4 ----
 Bugzilla/Constants.pm   | 10 ++++++++-
 3 files changed, 44 insertions(+), 30 deletions(-)

diff --git a/Bugzilla/Auth/CGI.pm b/Bugzilla/Auth/CGI.pm
index c453f2dcd..471e538e9 100644
--- a/Bugzilla/Auth/CGI.pm
+++ b/Bugzilla/Auth/CGI.pm
@@ -92,10 +92,6 @@ sub login {
                               -value => $logincookie);
         }
-
-        # compat code. The cookie value is used for logouts, and that
-        # isn't generic yet.
-        $::COOKIE{'Bugzilla_logincookie'} = $logincookie;
     } elsif ($authres == AUTH_NODATA) {
         # No data from the form, so try to login via cookies
@@ -184,29 +180,46 @@ sub login {
     }
     # If we get here, then we've run out of options, which shouldn't happen
-    ThrowCodeError("authres_unhandled",
-                   { authres => $authres,
-                     type => $type,
-                   }
-                  );
-
+    ThrowCodeError("authres_unhandled", { authres => $authres,
+                                          type => $type, });
 }
+# Logs user out, according to the option provided; this consists of
+# removing entries from logincookies for the specified $user.
 sub logout {
-    my ($class, $user) = @_;
-
-    if ($user) {
-        # Even though we know the userid must match, we still check it in the
-        # SQL as a sanity check, since there is no locking here, and if
-        # the user logged out from two machines simulataniously, while someone
-        # else logged in and got the same cookie, we could be logging the
-        # other user out here. Yes, this is very very very unlikely, but why
-        # take chances? - bbaetz
-        my $dbh = Bugzilla->dbh;
-        $dbh->do("DELETE FROM logincookies WHERE cookie = ? AND userid = ?",
-                 undef, $::COOKIE{"Bugzilla_logincookie"}, $user->id);
+    my ($class, $user, $option) = @_;
+    my $dbh = Bugzilla->dbh;
+    $option = LOGOUT_ALL unless defined $option;
+
+    if ($option == LOGOUT_ALL) {
+        $dbh->do("DELETE FROM logincookies WHERE userid = ?",
+                 undef, $user->id);
+        return;
     }
+    # The LOGOUT_*_CURRENT options require a cookie
+    my $cookie = Bugzilla->cgi->cookie("Bugzilla_logincookie");
+    detaint_natural($cookie);
+
+    # These queries use both the cookie ID and the user ID as keys. Even
+    # though we know the userid must match, we still check it in the SQL
+    # as a sanity check, since there is no locking here, and if the user
+    # logged out from two machines simultaneously, while someone else
+    # logged in and got the same cookie, we could be logging the other
+    # user out here. Yes, this is very very very unlikely, but why take
+    # chances? - bbaetz
+    if ($option == LOGOUT_KEEP_CURRENT) {
+        $dbh->do("DELETE FROM logincookies WHERE cookie != ? AND userid = ?",
+                 undef, $cookie, $user->id);
+    } elsif ($option == LOGOUT_CURRENT) {
+        $dbh->do("DELETE FROM logincookies WHERE cookie = ? AND userid = ?",
+                 undef, $cookie, $user->id);
+    } else {
+        die("Invalid option $option supplied to logout()");
+    }
+}
+
+sub clear_browser_cookies {
     my $cgi = Bugzilla->cgi;
     $cgi->send_cookie(-name => "Bugzilla_login",
                       -expires => "Tue, 15-Sep-1998 21:49:00 GMT");
@@ -235,9 +248,6 @@ using the CGI parameters I and I.
 If no data is present for that, then cookies are tried, using L.
-When a logout is performed, we take care of removing the relevant
-logincookie database entry and effectively deleting the client cookie.
-
 =head1 SEE ALSO
 L
diff --git a/Bugzilla/Auth/Cookie.pm b/Bugzilla/Auth/Cookie.pm
index 7dd2967fb..b50acbe24 100644
--- a/Bugzilla/Auth/Cookie.pm
+++ b/Bugzilla/Auth/Cookie.pm
@@ -80,10 +80,6 @@ sub authenticate {
              undef, $login_cookie);
-    # compat code. The cookie value is used for logouts, and that
-    # isn't generic yet. Detaint it so that its usable
-    detaint_natural($::COOKIE{'Bugzilla_logincookie'});
-
     return (AUTH_OK, $userid);
 }
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index a61cb4620..1ccde6b99 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -46,6 +46,10 @@ use base qw(Exporter);
     LOGIN_OPTIONAL
     LOGIN_NORMAL
     LOGIN_REQUIRED
+
+    LOGOUT_ALL
+    LOGOUT_CURRENT
+    LOGOUT_KEEP_CURRENT
 );
 @Bugzilla::Constants::EXPORT_OK = qw(contenttypes);
@@ -83,7 +87,7 @@ use constant CONTROLMAPSHOWN => 1;
 use constant CONTROLMAPDEFAULT => 2;
 use constant CONTROLMAPMANDATORY => 3;
-# See Bugzilla::Auth for docs for these
+# See Bugzilla::Auth for docs on AUTH_*, LOGIN_* and LOGOUT_*
 use constant AUTH_OK => 0;
 use constant AUTH_NODATA => 1;
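Review bot: After `detaint_natural($cookie);` the result is never checked, so when the browser sent no Bugzilla_logincookie, or one that is not a plain natural number, `$cookie` is left undefined and both the `cookie != ?` and `cookie = ?` queries match no rows: a LOGOUT_KEEP_CURRENT request meant to revoke every other session then silently revokes nothing and the caller has no way to tell. Test the return value and handle the missing-cookie case explicitly, e.g. `detaint_natural($cookie) or die("logout() with option $option requires a valid Bugzilla_logincookie");`, or for LOGOUT_KEEP_CURRENT fall back to the LOGOUT_ALL query so that a failed cookie lookup errs toward removing sessions rather than keeping them. The old `if ($user)` guard is also gone, so a caller passing an undefined user now dies inside `$user->id` instead of doing nothing; if the new Bugzilla.pm wrappers guarantee a user object, a line in the comment above `sub logout` saying so would make that contract explicit. Because the `==` comparisons numify their operands, a non-numeric `$option` compares equal to LOGOUT_ALL (0) and never reaches the `die` in the else branch — the safe direction, but worth a comment so the unreachable case is not mistaken for validation.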
@@ -95,6 +99,10 @@ use constant LOGIN_OPTIONAL => 0;
 use constant LOGIN_NORMAL => 1;
 use constant LOGIN_REQUIRED => 2;
+use constant LOGOUT_ALL => 0;
+use constant LOGOUT_CURRENT => 1;
+use constant LOGOUT_KEEP_CURRENT => 2;
+
 use constant contenttypes => { "html" => "text/html" ,
-- 
cgit v1.2.3-24-g4f1b
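Review bot: The three new LOGOUT_* constants are defined without any description of what each value selects, and the only pointer a reader gets is the comment earlier in this file that sends them to Bugzilla::Auth for docs — a file that is not among the three in this commit's diffstat, so unless it was documented separately that reference dangles. A short comment block above the definitions would close the gap, e.g. `# Options for Bugzilla::Auth::CGI->logout(): LOGOUT_ALL removes every login cookie for the user, LOGOUT_CURRENT only the session whose Bugzilla_logincookie was sent, LOGOUT_KEEP_CURRENT every session except that one.` Since LOGOUT_ALL is 0 and logout() compares options with `==`, the same comment should say that it is the default and that any non-numeric option value falls into it.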